Author: markt
Date: Wed Jun  3 13:30:25 2009
New Revision: 781365

URL: http://svn.apache.org/viewvc?rev=781365&view=rev
Log:
Add CVE-2009-0033

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Wed Jun  3 13:30:25 2009
@@ -271,6 +271,25 @@
 <p>
 <blockquote>
     <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033";>
+       CVE-2009-0033</a>
+</p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used 
for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev";>
+       revision 781362</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+ 
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a>
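Review bot: "In case this connector is member of a mod_jk load balancing worker" is missing an article and uses "In case" where a plain conditional is meant; suggest "If this connector is a member of a mod_jk load balancing worker". The new heading also reads "Important: Denial of Service" while the existing entry immediately below it reads "low: Cross-site scripting"; the severity labels on one page should share one capitalization. The same paragraph is pasted into all six files in this commit, so whichever wording is chosen has to be applied to every copy.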

Modified: tomcat/site/trunk/docs/security-5.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-5.html (original)
+++ tomcat/site/trunk/docs/security-5.html Wed Jun  3 13:30:25 2009
@@ -233,6 +233,25 @@
 <p>
 <blockquote>
     <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033";>
+       CVE-2009-0033</a>
+</p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used 
for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev";>
+       revision 781362</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+ 
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a>
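Review bot: The description does not say whether the invalid headers must be delivered to the AJP port directly or whether an ordinary HTTP request that mod_jk forwards over AJP is enough to put the worker into the error state; since the impact is described entirely in terms of the mod_jk load balancer, that distinction decides whether a deployment whose AJP port is reachable only from the httpd host is exposed, and the entry should state it. Likewise, if the "approximately one minute" is the load balancer's default recovery interval rather than a fixed value, say so, because operators who have tuned that interval will see a different outage window.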

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed Jun  3 13:30:25 2009
@@ -216,8 +216,8 @@
 <tr>
 <td bgcolor="#525D76">
 <font color="#ffffff" face="arial,helvetica,sanserif">
-<a name="Fixed in Apache Tomcat 6.0.SVN">
-<strong>Fixed in Apache Tomcat 6.0.SVN</strong>
+<a name="Fixed in Apache Tomcat 6.0.20">
+<strong>Fixed in Apache Tomcat 6.0.20</strong>
 </a>
 </font>
 </td>
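Review bot: Renaming the anchor from "Fixed in Apache Tomcat 6.0.SVN" to "Fixed in Apache Tomcat 6.0.20" drops the old fragment identifier, so any bookmark or cross-reference to the SVN anchor stops resolving; that is the expected outcome for a placeholder name, but it is worth a quick check that no other page on the site links to the 6.0.SVN anchor before this is published.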
@@ -227,6 +227,32 @@
 <p>
 <blockquote>
     <p>
+<i>Note: These issues were fixed in Apache Tomcat 6.0.19 but the release
+       vote for that release candidate did not pass. Therefore, although users
+       must download 6.0.20 to obtain a version that includes fixes for these
+       issues, 6.0.19 is not included in the list of affected versions.</i>
+</p>
+
+    <p>
+<strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033";>
+       CVE-2009-0033</a>
+</p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used 
for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=742915&amp;view=rev";>
+       revision 742915</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+
+    <p>
 <strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a>
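Review bot: The entry describes the vulnerable behaviour ("does not return an error and instead closes the AJP connection") but not the fixed one, so a reader cannot tell from the page what 6.0.20 does differently; a sentence such as "Tomcat now returns an error response for such requests instead of closing the connection" (assuming that is what revision 742915 does) would let administrators confirm they are running the fixed behaviour. The italic note about 6.0.19 is correctly placed at the top of the section, since "these issues" covers both entries below it, but it could state the underlying fact more directly: 6.0.19 was never released, which is why it appears in neither the fixed nor the affected versions.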
@@ -241,7 +267,7 @@
        revision 750924</a>.</p>
 
     <p>Affects: 6.0.0-6.0.18</p>
-
+       
   </blockquote>
 </p>
 </td>
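Review bot: Trailing whitespace is introduced where the empty line before `</blockquote>` becomes a line of spaces; there is no rendered difference, so leave the line empty.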

Modified: tomcat/site/trunk/xdocs/security-4.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-4.xml?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml (original)
+++ tomcat/site/trunk/xdocs/security-4.xml Wed Jun  3 13:30:25 2009
@@ -44,6 +44,23 @@
   </section>
 
   <section name="Fixed in Apache Tomcat 4.1.SVN">
+    <p><strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033";>
+       CVE-2009-0033</a></p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used 
for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev";>
+       revision 781362</a>.</p>
+
+    <p>Affects: 4.1.0-4.1.39</p>
+ 
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a></p>
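Review bot: The line added just before the CVE-2009-0781 entry contains a single space rather than being empty; make it blank. This xdoc and docs/security-4.html receive the identical paragraph as two separate hand edits in one commit; if docs/ is the generated output of xdocs/, as the parallel hunks suggest, regenerate the HTML from this file so the two copies cannot drift. The section heading here stays "Fixed in Apache Tomcat 4.1.SVN", which is right as long as no 4.1 release containing revision 781362 has shipped, but it will need the same rename the 6.x section gets in this commit once one does.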

Modified: tomcat/site/trunk/xdocs/security-5.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-5.xml (original)
+++ tomcat/site/trunk/xdocs/security-5.xml Wed Jun  3 13:30:25 2009
@@ -29,6 +29,23 @@
   </section>
 
   <section name="Fixed in Apache Tomcat 5.5.SVN">
+    <p><strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033";>
+       CVE-2009-0033</a></p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used 
for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=781362&amp;view=rev";>
+       revision 781362</a>.</p>
+
+    <p>Affects: 5.5.0-5.5.27</p>
+ 
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a></p>
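Review bot: "Affects: 5.5.0-5.5.27" sits under a section still headed "Fixed in Apache Tomcat 5.5.SVN", while the 6.x section in this same commit is renamed to its release number; that is consistent only as long as no 5.5 release containing revision 781362 has shipped, so the heading will need the same treatment as 6.0.20 when the next 5.5 release goes out. The whitespace-only line before the CVE-2009-0781 entry should be empty.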

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=781365&r1=781364&r2=781365&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Jun  3 13:30:25 2009
@@ -22,7 +22,29 @@
 
   </section>
 
-  <section name="Fixed in Apache Tomcat 6.0.SVN">
+  <section name="Fixed in Apache Tomcat 6.0.20">
+    <p><i>Note: These issues were fixed in Apache Tomcat 6.0.19 but the release
+       vote for that release candidate did not pass. Therefore, although users
+       must download 6.0.20 to obtain a version that includes fixes for these
+       issues, 6.0.19 is not included in the list of affected versions.</i></p>
+
+    <p><strong>Important: Denial of Service</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033";>
+       CVE-2009-0033</a></p>
+
+    <p>If Tomcat receives a request with invalid headers via the Java AJP
+       connector, it does not return an error and instead closes the AJP
+       connection. In case this connector is member of a mod_jk load balancing
+       worker, this member will be put into an error state and will be blocked
+       from use for approximately one minute. Thus the behaviour can be used 
for
+       a denial of service attack using a carefully crafted request.</p>
+
+    <p>This was fixed in
+       <a href="http://svn.apache.org/viewvc?rev=742915&amp;view=rev";>
+       revision 742915</a>.</p>
+
+    <p>Affects: 6.0.0-6.0.18</p>
+
     <p><strong>low: Cross-site scripting</strong>
        <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781";>
        CVE-2009-0781</a></p>
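Review bot: "the release vote for that release candidate did not pass" gives the reason, but the consequence the reader needs is that no 6.0.19 was ever released; stating that plainly makes it obvious why the affected range stops at 6.0.18 while the fix is only available in 6.0.20. This section also cites revision 742915 as the fix whereas the 4.x and 5.x entries for the same CVE cite revision 781362; that is presumably the 6.0 fix versus its later backport, but a word to that effect would stop readers from assuming one of the two revision numbers is a typo.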
@@ -36,7 +58,7 @@
        revision 750924</a>.</p>
 
     <p>Affects: 6.0.0-6.0.18</p>
-
+       
   </section>
   
   <section name="Fixed in Apache Tomcat 6.0.18">
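Review bot: Trailing whitespace is introduced here too: the empty line before `</section>` becomes a line of spaces, matching the same change in the docs/security-6.html hunk; keep it empty.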


